Does certbot have any plans to implement this feature? I think we'll probably sit this one out until the dust settles, and a certbot implementation would be a strong indicator of readiness.
The Profiles Extension lacks clarity regarding the behavior when a newOrder request is received without specifying a particular profile. This raises concerns about backward compatibility, particularly if the selected profile differs from the traditional classic profile. Could the Let's Encrypt team confirm whether, in such cases, the classic profile will be selected by default?
If the server is advertising profiles and receives a newOrder request
which does not identify a specific profile, it is RECOMMENDED that
the server select a profile and associate it with the new Order
object.
{
  "status": "valid",
  "expires": "2025-01-01T12:00:00Z",
  "profile": "profile1",
  "identifiers": [{"type": "dns", "value": "example.org"}],
  "authorizations": ["https://example.com/acme/authz/PAniVnsZcis"],
  "finalize": "https://example.com/acme/order/TOlocE8rfgo/finalize"
}
Not sure if the draft lacks anything: it clearly recommends what the CA should do, but does not mandate it. E.g., a CA could choose one of the profiles or could refuse such an order, making it mandatory to select one. As I read the draft, it's up to the CA to decide what to do when a profile is missing from the newOrder.
That said, I am missing any statement from the CA Let's Encrypt with regard to the default profile or how they'd handle requests without a profile. I assume it will be the classic profile, but assumptions are the … of all …, so it would be nice of LE to confirm or deny this.
I would expect the draft to connect to real-life use cases and at least mention backward compatibility and migration considerations for the CA to evaluate. Would be good if LE confirms this.
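As an added example, not part of the thread or of any ACME client: a client-side check of which profile the server bound to an order when newOrder named none, using the order shape quoted above. The function names, verdict strings and the `allowed` policy set are assumptions made for this illustration; the `profile` request field follows the Profiles draft.

```python
import json

# Constructed sample: order object in the shape quoted from the draft above.
SAMPLE_ORDER = json.loads("""
{
  "status": "valid",
  "expires": "2025-01-01T12:00:00Z",
  "profile": "profile1",
  "identifiers": [{"type": "dns", "value": "example.org"}],
  "authorizations": ["https://example.com/acme/authz/PAniVnsZcis"],
  "finalize": "https://example.com/acme/order/TOlocE8rfgo/finalize"
}
""")


def build_new_order(names, profile=None):
    """Build a newOrder payload; 'profile' is sent only when the client picks one."""
    payload = {"identifiers": [{"type": "dns", "value": n} for n in names]}
    if profile is not None:
        payload["profile"] = profile
    return payload


def check_order_profile(requested, order, allowed=None):
    """Classify the profile the server associated with the returned order.

    requested: profile sent in newOrder, or None if the client sent none.
    allowed:   optional set of profile names the operator accepts as a
               server-chosen default (hypothetical local policy).
    Returns (verdict, profile_on_order).
    """
    actual = order.get("profile")
    if actual is None:
        # Server does not report a profile (e.g. no profile support).
        return ("unreported", None)
    if requested is None:
        # The draft only RECOMMENDS that the server pick one, so the
        # choice is the CA's; refuse defaults outside local policy.
        if allowed is not None and actual not in allowed:
            return ("default-not-allowed", actual)
        return ("server-selected", actual)
    if actual != requested:
        return ("mismatch", actual)
    return ("honored", actual)


if __name__ == "__main__":
    print(build_new_order(["example.org"]))
    print(check_order_profile(None, SAMPLE_ORDER, allowed={"classic"}))
```

Running the check before finalizing lets a client stop when the server-chosen default is not the profile it was relying on.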